Reputation: 4755
Keeping Spring Cloud Config Secure in an Open Source Application
Some of my services require API secrets in their configurations. My project is open source, so I cannot store these secrets in the main repository.
Spring Cloud Config has the ability to connect to a private git repository to retrieve the secret configuration, but to do so requires credentials which I, again, cannot store in the main repository.
What is the best practice for storing secrets in an open source application when using Spring Cloud Config?
Upvotes: 1
Views: 102
Answers (1)
Reputation: 62575
In both open source and closed source applications, credentials should not be stored with the source code.
Multiple solutions exist to store credentials, you can store them into environment variables, into a property file added in .gitignore or if you want a more elaborate solution you can use a dedicated tool such as HashiCorp Vault. There is an interesting official Spring blog post exploring this solution : Managing Secrets with Vault.
Upvotes: 1
Related Questions
- Externalizing spring boot/security configuration
- How to Secure Spring Cloud Config Server
- spring cloud config best practice?
- What is the best way to secure spring cloud config?
- Configuring security in a Spring Boot application
- Encryption in Spring Cloud Config
- Spring Cloud Config - Encrypt Password
- Spring Cloud Config Server - Security Details
- how to implement spring cloud config server security with docker
- Code-based Spring Security Configuration